CISA KEV: Fix Deadlines

- CISA added eight exploited vulnerabilities to its Known Exploited Vulnerabilities catalogue, triggering urgent action.
- Federal agencies were given fixed remediation deadlines of April 23 and May 4, 2026.
- The update forces internal teams to map affected assets, owners, exceptions, and emergency-change evidence under pressure. (thehackernews.com)

CISA on April 20 added eight more bugs to its Known Exploited Vulnerabilities list, turning them into federal patch orders with deadlines days away. (cisa.gov) The new entries cover PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, Synacor Zimbra Collaboration Suite, and three Cisco Catalyst SD-WAN Manager flaws. CISA said all eight had evidence of active exploitation. (cisa.gov) The fixed dates now driving agency work are April 23, 2026, for the older CVEs and May 4, 2026, for the 2026 Cisco flaws, according to security reporting that matched CISA’s catalog update on Monday. (thehackernews.com)

A Known Exploited Vulnerability entry is not a general warning list. CISA uses it for flaws with a CVE number, reliable evidence of attacks in the wild, and a clear fix such as a vendor patch. (cisa.gov) For Federal Civilian Executive Branch agencies, a KEV addition triggers Binding Operational Directive 22-01, a compulsory order to remediate by CISA’s due date on systems run directly or by third parties on an agency’s behalf. (cisa.gov)

That is why this update lands as an operations problem, not just a vulnerability notice. Security teams have to identify exposed assets, name system owners, schedule emergency changes, and document any exceptions before the clock runs out. (cisa.gov)

The Cisco entries arrive after CISA escalated SD-WAN risk in February. On February 25, 2026, the agency issued Emergency Directive 26-03 and told federal agencies to inventory affected Cisco SD-WAN systems, collect logs and snapshots, patch, and hunt for compromise. (cisa.gov)

The list also mixes old and new software exposure. PaperCut’s CVE-2023-27351 was tied to ransomware activity in 2023, while Arctic Wolf said it saw likely exploitation of Quest KACE CVE-2025-32975 on internet-exposed, unpatched appliances starting the week of March 9, 2026. (thehackernews.com) (arcticwolf.com)

CISA says the KEV catalog is the federal government’s authoritative list of vulnerabilities already being used by attackers, and it urges state, local, tribal, territorial, and private-sector defenders to prioritize the same fixes even when the mandate does not legally apply. (cisa.gov) By April 23 and May 4, this update stops being a catalog change and becomes a compliance test: patch the systems, prove the work, or explain why a live exploited flaw is still on the network. (cisa.gov)
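The operations problem described above, turned into a small work-list builder as an added example (not CISA's tooling and not from the brief's sources): it joins KEV entries against an asset inventory, attaches the system owner, computes days remaining against the BOD 22-01 due date, and surfaces documented exceptions alongside open work. The KEV field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) follow CISA's public KEV JSON feed; the asset records, owner names, exception ticket and the Cisco CVE identifier are constructed placeholders, since the brief does not name the Cisco CVEs.

```python
"""Join CISA KEV entries to an asset inventory and build a BOD 22-01 work list.

Added example; not CISA's code. KEV field names follow the public KEV JSON
feed; the asset, owner and exception records below are constructed.
"""
from datetime import date

# Constructed KEV sample. Only the PaperCut and Quest CVEs appear in the brief;
# the Cisco entry uses a placeholder ID with the brief's May 4 due date.
KEV_ENTRIES = [
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-32975", "vendorProject": "Quest",
     "product": "KACE Systems Management Appliance",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-PLACEHOLDER", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed inventory export: host, vendor/product, owner, exposure.
ASSETS = [
    {"host": "print01.example.gov", "vendor": "PaperCut", "product": "NG/MF",
     "owner": "facilities-it", "internet_exposed": False},
    {"host": "kace.example.gov", "vendor": "Quest",
     "product": "KACE Systems Management Appliance",
     "owner": "endpoint-team", "internet_exposed": True},
    {"host": "sdwan-mgr.example.gov", "vendor": "Cisco",
     "product": "Catalyst SD-WAN Manager",
     "owner": "network-eng", "internet_exposed": True},
    {"host": "wiki.example.gov", "vendor": "Atlassian", "product": "Confluence",
     "owner": "collab-team", "internet_exposed": True},
]

# Constructed approved exceptions: CVE -> (change ticket, justification).
EXCEPTIONS = {"CVE-2023-27351": ("CHG-0001", "host decommissioned before due date")}


def _key(vendor: str, product: str) -> tuple:
    """Normalise vendor/product so CMDB spelling differences still match."""
    return (vendor.strip().lower(), product.strip().lower())


def status_for(days_left: int, cve: str, exceptions: dict, soon_window: int = 7) -> str:
    """Classify one asset/CVE pair. Exceptions stay visible for auditors but
    are not counted as open work."""
    if cve in exceptions:
        return "EXCEPTION"
    if days_left < 0:
        return "OVERDUE"
    if days_left <= soon_window:
        return "DUE_SOON"
    return "OPEN"


def build_worklist(kev: list, assets: list, exceptions: dict, today: str) -> list:
    """Return one row per (asset, KEV entry) match, most urgent first:
    fewest days left, then internet-exposed, then known ransomware use."""
    as_of = date.fromisoformat(today)
    by_product = {}
    for entry in kev:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    rows = []
    for asset in assets:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            days_left = (date.fromisoformat(entry["dueDate"]) - as_of).days
            rows.append({
                "cve": entry["cveID"],
                "host": asset["host"],
                "owner": asset["owner"],
                "due": entry["dueDate"],
                "days_left": days_left,
                "internet_exposed": asset["internet_exposed"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "status": status_for(days_left, entry["cveID"], exceptions),
                "exception": exceptions.get(entry["cveID"]),
            })
    rows.sort(key=lambda r: (r["days_left"], not r["internet_exposed"],
                             not r["ransomware"], r["host"]))
    return rows


def unmatched_kev(kev: list, assets: list) -> list:
    """KEV entries with no inventory match: either absent or an inventory gap worth checking."""
    seen = {_key(a["vendor"], a["product"]) for a in assets}
    return [e["cveID"] for e in kev if _key(e["vendorProject"], e["product"]) not in seen]


def open_work(rows: list) -> list:
    """Rows that still need a patch or an approved exception."""
    return [r for r in rows if r["status"] != "EXCEPTION"]


if __name__ == "__main__":
    for r in build_worklist(KEV_ENTRIES, ASSETS, EXCEPTIONS, "2026-04-21"):
        print(f"{r['status']:<9} {r['cve']:<22} {r['host']:<24} "
              f"owner={r['owner']:<14} due={r['due']} ({r['days_left']:+d}d)")
    print("no inventory match:", unmatched_kev(KEV_ENTRIES, ASSETS))
```

Run it daily with today's date: rows that flip to OVERDUE are the ones an agency would have to explain, and a non-empty `unmatched_kev` result is a prompt to confirm the product really is absent rather than missing from the inventory.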
